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Abstract — Security aspects of the Index Coding witii Side 
Information (ICSI) problem are investigated. Building on the 
results of Bar-Yossef et al. (2006), the properties of linear 
index codes are further explored. The notion of weak security, 
considered by Bhattad and Narayanan (2005) in the context 
of network coding, is generalized to block security. It is shown 
that the linear index code based on a matrix L, whose column 
space code C{L) has length n, minimum distance d and dual 
distance d^, is (d — 1 — f)-block secure (and hence also weakly 
secure) if the adversary knows in advance t < d — 2 messages, 
and is completely insecure if the adversary knows in advance 
more than n — d""" messages. Strong security is examined under 
the conditions that the adversary: (i) possesses t messages in 
advance; (ii) eavesdrops at most /i transmissions; (iii) corrupts 
at most 5 transmissions. We prove that for sufficiently large q, an 
optimal linear index code which is strongly secure against such 
an adversary has length Kg + + Here Kq is a generalization 
of the min-rank over Fq of the side information graph for the 
ICSI problem in its original formulation in the work of Bar- 
Yossef et al. 

I. Introduction 

The problem of Index Coding with Side Information (ICSI) 
was introduced by Birk and Kol 11], Q. It was motivated by 
applications such as audio and video-on-demand, and daily 
newspaper delivery. In these applications a server (sender) 
has to deliver some sets of data, audio or video files to 
a set of clients (receivers), different sets are requested by 
different receivers. Assume that before the transmission starts, 
the receivers have already (from previous transmissions) some 
files or movies in their possession. Via a slow backward 
channel, the receivers can let the sender know which messages 
they already have in their possession, and which messages 
they request. By exploiting this information, the amount of 
the overall transmissions can be reduced. As it was observed 
in Ii], this can be achieved by coding the messages at the 
server before broadcasting them out. 

Another possible application of the ICSI problem is in 
opportunistic wireless networks. These are networks in which 
a wireless node can opportunistically listen to the wireless 
channel. As a result, the node may obtain packets that were 
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not designated to it (see O-ll]). This way, a node obtains 
some side information about the transmitted data. Exploiting 
this additional knowledge may help to increase the throughput 
of the system. 

Consider the toy example in Figure 1 . It presents a scenario 
with one sender and four receivers. Each receiver requires a 
different information packet (or message). The naive approach 
requires four separate transmissions, one transmission per an 
information packet. However, by exploiting the knowledge of 
the subsets of messages that clients already have, and by using 
coding of the transmitted data, the server can satisfy all the 
demands by broadcasting just one coded packet. 

The ICSI problem has been a subject of several recent 
studies f3l, f6l-fT2^. This problem can be regarded as a special 
case of the well-known network coding (NC) problem lfT3] . 
|14|. In particular, it was shown that every instance of the NC 
problem can be reduced to an instance of the ICSI problem f3l. 



has a;2, X3, 2:4 
requests xi 



has 0:2, X3 
requests a;4 




has xi, a;3, Xi 
requests X2 

Fig. 1: An example of the ICSI problem 



has Xij X2,X4 
requests X3 



Several previous works focused on the design of an efficient 
index code for the ICSI problem. Given an instance of the 
ICSI problem, Bar-Yossef et al. |6| proved that finding the 
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best scalar linear binary index code is equivalent to finding 
the so-called min-rank of a graph, which is known to be 
an NP-hard problem (see [6J, L15J ). Here scalar linear index 
codes refer to linear index codes in which each message is 
a symbol in the field Fg. By contrast, in vector linear index 
codes each message is a vector over F^. Lubetzky and Stav 
Q showed that there exist instances in which scalar linear 
index codes over nonbinary fields and linear index codes over 
mixed fields outperform the scalar linear binary index codes . 
El Rouayheb et al. Q, IfTOl showed that for certain instances 
of the ICSI problem, vector linear index codes achieve strictly 
higher transmission rate than scalar linear index codes do. 
They also pointed out that there exist instances in which vector 
nonlinear index codes outperform vector linear index codes. 
Vector nonlinear index codes were also shown to outperform 
scalar nonlinear index codes for certain instances by Alon et 
al. lfT2l . Several heuristic solutions for the ICSI problem were 
proposed in [9J, [11 J. 

In this paper, we study the security aspects of linear index 
codes. We restrict ourselves to scalar linear index codes. It 
is known that vector linear index codes can achieve better 
transmission rate than their scalar counterparts, for certain 
instances of the ICSI problem |3 |, [10|. However, if the block 
length is fixed, one can model a vector index code as a scalar 
index code applied to another instance of the ICSI problem. 
If the block length is £, the number of messages is n, and 
the number of receivers is m in the original (vector) instance, 
then the equivalent (scalar) instance can be viewed as having 
£n messages and £m receivers. 

Let ¥q be a finite field with q elements. In its most general 
formulation, a linear index code maps x E onto {x\g) L, 
where g e F^ is a random vector, L is an (n + rj) x N matrix 
over ¥q, and n,ri,N e N. In this work, we show that each 
deterministic linear index code (i.e. ?7 = 0) provides a certain 
level of information security. More specifically, let the code 
C{L) be spanned by the columns of L, and let d and d,-^ be 
its minimum distance and dual distance, respectively. We say 
that a particular adversary is of strength t if it has t messages 
in its possession. Then, we show that the index code based on 
L is (rf — 1 — f)-block secure against all adversaries of strength 
t < d—2 and is completely insecure against any adversary of 
strength at least n ~ d-^ + 1. If C{L) is an MDS code, then 
the two bounds coincide. The technique used in the proof for 
this result is reminiscent of that used in the constructions of 
(multiple) secret sharing schemes from linear error-correcting 
codes lfT6l . ifTTl . The results on the security of linear index 
codes can be further employed to analyze the existence of 
solutions for a natural generalization of the ICSI problem, so- 
called the Index Coding with Side and Restricted Information 
(ICSRI) problem. In that problem, it is required that some 
receivers have no information about some messages. 

In the sequel, we also consider a non-deterministic linear 
index code, based on the use of random symbols (i.e. 77 > 1). 
We show that the coset coding technique (which has been 
successfully employed in Secure Network Coding literature, 
see, for instance llT8l -l|22l) gives an optimal strongly secure 



linear index code of length Kg + /i + 26. This index code is 
strongly secure against an adversary which: 

(i) has t arbitrary messages in advance; 

(ii) eavesdrops at most ^ transmissions; 

(iii) corrupts at most S transmissions. 

Previous works on the security aspects (and on the error- 
correction aspect, as a special case) of network coding dealt 
with the multicast scenario. One of the main reasons for this 
limitation is that the optimal simultaneous transmission rates 
for non-multicast networks have not been fully characterized 
yet. The ICSI problem can be modeled as a special case 
of the non-multicast Network Coding problem ( fi], fT2\). 
Moreover, being modeled in that way, it requires that there 
are directed edges from particular sources to each sink, which 
provide the side information. The symbols transmitted on these 
special edges are not allowed to be corrupted, where usually 
for network coding any edge can be corrupted. These two 
differences restrict the ability to derive the results on the 
security of the index coding schemes from the existing results 
on security of network coding schemes. 

The paper is organized as follows. Notations and definitions, 
which are used in the rest of the paper, are introduced in 
Section HI] The model and some basic results for the ICSI 
problem are presented in Section [III] The block security of 
linear index codes is analyzed in Section |IV] In particular, the 
Index Coding with Side and Restricted Information problem is 
presented and analyzed in Section HV-EI Section [V] is devoted 
to the analysis of strong security for index coding. The paper 
is concluded in Section |Vll 

II. Preliminaries 

Recall that we use the notation F^ for the finite field with 
q elements, where g is a power of prime. We also use F* for 
the set of all nonzero elements of F^. Let [n] denote the set of 
integers {1, 2, . . . , n}. For the vectors u = {ui, U2, . . . , Un) G 
F^' and v = {vi,V2, . . . ,Vn) S F^', the (Hamming) distance 
between u and v is defined to be the number of coordinates 
where u and v differ, namely, 

A{u,v) ^ \{i G [n] : Ui ^ Vi\\. 

The support of a vector m e is defined to be the set 
supp(it) = {« G [n] : Ui 7^ 0}. The (Hamming) weight of 
a vector u, denoted wt(tt), is defined to be |supp(tt)|, the 
number of nonzero coordinates of u. 

A A:-dimensional subspace C of F^' is called a linear 
[n, /c, d]q (g-ary) code if the minimum distance of C, 

d(C) = mill d{u,v) , 
uec, vec, u^v 

is equal to d. Sometimes we may use the notation [n, k]q for 
the sake of simplicity. The vectors in C are called codewords. It 
is easy to see that the minimum weight of a nonzero codeword 
in a linear code C is equal to its minimum distance d(C). A 
generator matrix G of an [n, fc]g-code C is a fc x n matrix 
whose rows are linearly independent codewords of C. Then 
C = {yG : y G F^^}. 
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The dual code or dual space of C is defined as = {it G 
F^' : uc^ — for all c G C}. The minimum distance of C^, 
d{C^), is called the dual distance of C. 

The following upper bound on the minimum distance of a 
g-ary linear code is well-known (see ||23l Chapter 1). 

Theorem 2.1 (Singleton bound): For an [n, fc, d]g-code, we 
have d < n — k + 1. 

Codes attaining this bound are called maximum distance 
separable (MDS) codes. For a subset of vectors 

{cW,c(2),...,cW}CF^, 

define its linear span over F^: 

span, ({cW,c(2),...,cW})^ 

|^a,c« : a, eF„ ^e [fc]| . 
We use e, = (0, . . . , 0, 1, 0, . . . , 0) G F;^ to denote the 

i—l n~i 

unit vector, which has a one at the ith position, and zeros 
elsewhere. We also use I„, n G N, to denote the nxn identity 
matrix. 

We recall the following well-known result in coding theory. 

Theorem 2.2 ( l[24]l . p. 66): Let C be an [n,k,d]q-code 
with dual distance d'^ and M denote the q'^ x n matrix whose 
q'^ rows are codewords of C. If r < — 1 then each r-tuple 
from ¥q appears in an arbitrary set of r columns of M exactly 
q'^~^ times. 

For a random vector Y = {Yi,Y2, . . . ,Yn) and a subset 
B = {ii, 12, . . . , ife} of [n], where ii < i2 < ■ ■ ■ < ib, let Yb 
denote the vector (Y^j ^Yi^, . . . ,Yi^). For an n x fc matrix M, 
let Mi denote the ith row of M, and M[j] its jth column. 
For a set £^ C [n], let Me denote the \E\xk submatrix of M 
formed by rows of M which are indexed by the elements of 
E. For a set F C [fc], let M[F] denote the ti x |F| submati-ix 
of M formed by columns of M which are indexed by the 
elements of F. 

Let X and Y be discrete random variables taking values 
in the sets and Ey, respectively. Let Pi{X = x) denote 
the probability that X takes a particular value x G Sx- Let 
H(X), H{X\Y), \{X;Y), and \{X;Y\Z) denote the (binary) 
entropy, conditional entropy, mutual information, and condi- 
tional mutual information (see ||251 for the background). 

III. Index Coding and Some Basic Results 

The Index Coding with Side Information (ICSI) problem 
considers the following communications scenario. There is a 
unique sender (or source) S, who has a vector of messages 
X = {xi,X2, ■ . ■ ,Xn) G F^"^ in his possession, which is a 
realized value of a random vector X — {Xi, X2, . ■ ■ , Xn). 
Xi , X2 , • • ■ , Xn hereafter are assumed to be independent 
uniformly distributed random variables over F^. There are 
also m receivers Ri, R2, . . . , Rm- For each i G [m], Ri has 



some side information, i.e. Ri owns a subset of messages 
{xj}j^Xi, ^ [n]. In addition, each Ri, i G [m], is 
interested in receiving the message xjf^i^, for some demand 
function f : [m] — > [n]. Here we assume that f{i) ^ Xi 
for all i G [m]. Let X — {Xi, X2, . . . , Xm). An instance of 
the ICSI problem is given by a quadruple (m, n, X, /). Here 
we assume that every receiver requests exactly one message. 
This assumption is not a limitation of the model, as we can 
consider an equivalent problem by splitting each receiver who 
requests multiple messages into multiple receivers, each of 
whom requests exactly one message and have the same set of 
side information (see [IJ, [6J). 

Definition 3.1: An index code over F, for an instance 
(rn, n, X, /) of the ICSI problem, referred to as an 
(m, n, X, ,f)-lC over F,, is an encoding function 

such that for each receiver Ri, i ^ [to], there exists a decoding 
function 

: F^ xFl-^'l -^F, , 

satisfying 

Va; gF;^ : T),{e{x),xx,) = Xf(^,) . 

The parameter N is called the length of the index code. In 
the scheme corresponding to this code, S broadcasts a vector 
(B{x) of length N over F,. 

Definition 3.2: An index code of the shortest possible 
length is called optimal. 

Definition 3.3: A linear index code is an index code, for 
which the encoding function € is a linear transformation over 
¥q. Such a code can be described as 

Vx G F;' : (B{x) = xL , 

where i is an n x matrix over F,. The matrix L is called 
the matrix corresponding to the index code €. We also refer 
to € as the index code based on L. Notice that the length of 
£ is the number of columns of L. 

Let E C [ri] and u G W^. In the sequel, we write u <\ E 
if supp(tt) C E. Intuitively, this means that if some receiver 
knows Xj for all j E E (and also knows u), then this receiver 
is also able to compute the value of xu^. 

Hereafter, we assume that the sets Xi, for all i G [to], are 
known to S. Moreover, we also assume that the index code £ 
is known to each receiver Ri, i G [m]. In practice this can be 
achieved by a preliminary communication session, when the 
knowledge of the sets Xi, for all i G [m], and of the code £ 
are disseminated between the participants of the scheme. 

Let C{L) = spanq({L[j]^}jg[jv])> the subspace spanned 
by the (transposed) columns of L. The following lemma was 
implicitly formulated in [6| for the case where m ~ n, 
f{i) = i for all i G [to], and q = 2. This lemma specifies a 
sufficient condition on C(i) so that a receiver can reconstruct 
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a particular message. We reproduce this lemma with its proof 
in its general form for the sake of completeness of the 
presentation. 

Lemma 3.1: Let i be an n x iV matrix over F^. Assume 
that S broadcasts xL. Then, for each i E [to], the receiver 
Ri can reconstruct a;y(j-) if there exists a vector u'*) e F^' 
satisfying 

1) ttW < X,; 

2) +ey(,) eC(Z:). 

Proof: Assume that tt''^ <l Xi and it'') + ey(i) G C(i). 
Since tt^*) + £ C(L), there exists (3 e¥^ such that 

By taking the transpose and pre-multiplying by x, we obtain 

x{u^'^ +ej^,^f = {xL)f3^. 

Therefore, 

Xf^,) = a7ej(,-| = {xL)l3^ - a^itW^. 

Observe that Ri is able to find m'*^ and /3 from the knowledge 
of L. Moreover, Ri is also able to compute xu'^^^ since 
M*^*^ < Xi. Additionally, Ri knows xL, which is transmitted 
by 5. Therefore, Ri is able to compute ■ 

Remark 3.2: It follows from Lemma ITTI that L corresponds 
to a linear (m, n, X, /)-IC over Fg if C{L) D span^dtt''' + 
^/(i)}«e[m])^ for some u.''^ <l Xi, i e [to]. We show later in 
Corollarv l4.5l that this condition is also necessary. Finding such 
an L with minimal number of columns by careful selection of 
M^'''s is a difficult task (in fact it is NP-hard to do so, see |6|, 
ifTSl '). which, however, yields a linear coding scheme with the 
minimal number of transmissions. 

IV. Block Secure Linear Index Codes 
A. Block Security and Weak Security 

In this section, we assume the presence of an adversary A 
who can listen to all transmissions. Assume that S employs 
a linear index code based on L. The adversary is assumed 
to possess side information {xj}j^xA' where X^ C [n]. For 
short, we say that A knows (or possesses, owns) xxj^- The 
strength of A is defined to be \Xa\. Denote Xa ~ {[n]\XA). 
Note that by listening to S, the adversary also knows s — 
€{x) = xL. We define below several levels of security for 
linear index codes. 

Definition 4.1: Suppose that the sender S possesses a vector 
of messages x £ F^, which is a realized value of a random 
vector X — (Xi, X2, . . . , X„), whose coordinates Xi, i G 
[n], are all independent and uniformly distributed over ¥q. An 
adversary A possesses xx^^ - Consider a linear (m, n, X, f)-lC 
over ¥q based on L. 

1) For B C Xa, the adversary is said to have no information 
about a;^ if 

H{Xb\XL,Xxa)^H{Xb). (1) 



In other words, despite the partial knowledge on x 
that the adversary has (his side information and the 
transmissions he eavesdrops), the symbols x b still looks 
completely random to him. 

2) The index code is said to be b-block secure against Xa 
if for every 6-subset B C Xa, the adversary has no 
information about xb- 

3) The index code is said to be b-block secure against all 
adversaries of strength t (0 < i < n — 1) if it is 6-block 
secure against Xa for every Xa C [n], \Xa\ = t. 

4) The index code is said to be weakly secure against 
Xa if it is 1-block secure against Xa- In other words, 
after listening to all transmissions, the adversary has no 
information about each particular message that he does 
not possess in the first place. 

5) The index code is said to be weakly secure against all 
adversaries of strength t (0 < t < 71 — 1) if it is weakly 
secure against Xa for every i-subset Xa of [n]. 

6) The index code is said to be completely insecure against 
Xa if an adversary, who possesses {xi}i^xA^ by listening 
to all transmissions, is able to determine Xi for all i G Xa- 

7) The index code is said to be completely insecure against 
any adversary of strength t (0 < t < n — 1) if an 
adversary, who possesses an arbitrary set of t messages, is 
always able to reconstruct all of the other n — t messages 
after listening to all transmissions. 

Remark 4.1 : Even when the index code is 5-block secure 
(6 > 1) as defined above, the adversary is still able to 
obtain information about dependencies between various Xi's 
in Xa (but he gains no information about any group of b 
particular messages). This definition of 6-block security is 
a generalization of that of weak security (see ll26l . ll27l ). 
Obviously, if an index code is 6-block secure against Xa 
(b > 1) then it is also weakly secure against Xa, but the 
converse is not always true. 

B. Necessary and Sufficient Conditions for Block Security 

In the sequel, we consider the sets B C [n], B ^ 0, and 
E C [n], E ^ 0. Moreover, we assume that the sets Xa, 
B, and E are disjoint, and that they form a partition of [n], 
namely Xa U B U E ^ [n\. In particular, Xa = B U E. 

Lemma 4.2: Assume that for all u<Xa and for all ai G F^, 
i E B (not all a^'s are zeros), 

u + Y,o^^e^iC{L). (2) 

ieB 

Then, 

1) for all i G B: 

Li G spang{{Lj}j^E); (3) 

2) the system 

yLs = wLb (4) 

I E I 

has at least one solution y G Fg for every choice of 

w G f'^I. 
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Proof: 

1) If rankg(i£;) = N then the first claim follows immedi- 
ately. Otherwise, assume that rankq(L£) < N. As the 
N columns of Le are linearly dependent, there exists 
y e F^\{0} such that yL% = 0- 

• If for all such y and for all j G B we have 
yLj = 0, then e ((span,({L,},es))^)^ = 
span^dijIjgE) for all i e _B. 

• Otherwise, there exist y G and i £ B such that 

— and yLf ^ 0. Without loss of generality, 
assume that 



Let c = yL'^ G C(X). 

C = (ca'.4|cb|c£;; 



is 
Then 



T 
Xa 



yLll-rT^ 



\yLl). 



Hence cb = yL^ ^ and ce = yL^ = 0. Let 
u = {cxa |0|0) <J '^a and a; = q for all i G B. Then 
tti's are not all zero and u+J^ieB '^i^i = c G C{L), 
which contradicts (|2]l. 
2) By (O, each row of is a linear combination of rows 
of Le- Hence wLb is also a linear combination of rows 
of Le- Therefore, (|4) has at least one solution. 



While Lemma 13.11 does not discuss security, it provides 
sufficient conditions for successful reconstruction of the infor- 
mation by a legitimate receiver Ri. Obviously, the legitimate 
receiver i?, can be replaced by an adversary A in the formula- 
tion of that lemma. Thus, the conditions in Lemma [TTI can be 
viewed as sufficient conditions for absence of weak security 
with respect to this A. 

In Lemma |431 which appears below, we show that the same 
conditions are also necessary (for the absence of information 
security with respect to the adversary A). However, similarly, 
A can be replaced by a legitimate receiver Ri in the formu- 
lation of Lemma 14.31 Thus, this lemma also provides both 
necessary and sufficient conditions for successful reconstruc- 
tion of the information by the legitimate receiver Ri. 

Additionally, in Lemma 14.31 the weak security is further 
generalized to block security. 

Lemma 4.3: Let i be an n x matrix over F^. Assume 
that S broadcasts xL. For a subset B C A'a, an adversary 
A who owns xx^, after listening to all transmissions, has no 
information about xb if and only if 



Vtt < Xa, '^cti G F„ with ai,i G B, not all zero: 



M + ^ UiEi ^ C{L). 

ieB 



(5) 



In particular, for each i G X^, A has no information about Xi 
if and only if 

\/u<iXA ■■ u + e, iC{L). 



Proof: Assume that Q holds. We need to show that 
H{Xb\XL,Xxa) = H(Xb). It suffices to show that for 
allgGF'^l: 



Pr(XB ^g\XL = s, Xx^ 
where s — xL for some a; G F". 



1 



(6) 



Consider the following linear system with the unknown z G 



F« 




XX. 



which is equivalent to 

' zb = g 

ZXa = XXa ■ (7) 

ZeLe = S-qLb-XXaLxa 

In order to prove that (|6) holds, it suffices to show that for 
all choices of g G F,^', (|7]i always has the same number of 
solutions z. Notice that the number of solutions 2 of (|7|i is 
equal to the number of solutions ze of 



zeLe = s - qLb - xxaLxa, (8) 

where s, g, and xx^ are known. For any g G f!;^', if (O has a 
solution, then it has exactly q|s|-rankg(i,is) different solutions. 
Therefore, it suffices to prove that (|8) has at least one solution 
for every g G F,^'. 

Since x is an obvious solution of (|7]l, we have 



XeLe = S - XbLb - XXaLxa- 

Subtract (|9]l from (|8) we obtain 

{ze - Xe)Le = {xb - g)LB, 
which can be rewritten as 

yLE = wLb, 



(9) 



(10) 



where y = ze — xe, w = xb — g. Due to Lemma ( fTot 
always has a solution y, for every choice of w. Therefore dS) 

I B I 

has at least one solution for every g G Fg ' . 

Now we prove the converse. Assume that (|5]l does not hold. 
Then there exist u<]Xa and a; G F^, i E B, where a^'s, i E B 
are not all zero, such that 

aiBi = c u , 

for some c G C{L). Hence, similar to the proof of Lemma 
13.11 the adversary obtains 

aiXi = a; I ^ UiEi I 
ieB \ieB ) 

= x{c — u)^ 

T T 
= XC — XU . 
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Note that the adversary can calculate a;c-^ from s, and can also Suppose that m^*' <l Xi for all i £ [n]. Let A = {ai_j) be 

find xu^ based on his own side information. Therefore, A is the n x n matrix whose ith row is precisely tt'*^ + e^, for 

able to compute a nontrivial linear combination of x^'s, i G B. each i £ [n]. Then A fits Q. Conversely, if A' fits Q then by 

Hence the entropy H{X b\X L, X Xa) < H(Xb). Thus, the multiplying each row of A' with a suitable nonzero constant 

adversary gains some information about the xb- ■ (which does not change the rank of A'), one obtains a matrix 

A which is of the aforementioned form. In other words, for 

Corollaiy 133] generalizes Lemma O by providing both each i G [n], the ith row of the resulting matrix A equals 

necessary and sufficient conditions for a receiver's ability to + for some <] Xi. Therefore, Kg defined above is 

recover the desired message. (Note that this corollary can be indeed the minimum rank over of a mati'ix which fits the 

equally applied to the legitimate receiver Ri as well as to the side information graph g. Thus, Kg is precisely the min-rank 

adversai-y A.) over of g. ■ 



Corollary 4.4: Let X be an n x TV matrix over and let 
S broadcast xL. Then for each i G [m], the receiver Ri can 
reconstruct a;j(i) if and only if there exists a vector u'*-' £ F^* 
such that 

1) ttW < X,; 

2) mW +e/(,) gC(L). 

Corollary 4.5: The matrix L corresponds to a linear 
{m,n, X , f)-lC over Fg if and only if for all i G [m], there 
exists a vector it^'^ G F^ satisfying 

1) < X,; 

2) +e/(,) eC{L). 

Remark 4.6: It follows from Corollary 14.51 that L corre- 
sponds to a linear (m, n, X, f)-lC over Fg if and only if 
C{L) D spang({M(') + e/(i)}ig[„]), for some m^*) < A;, 
i G [m]. If we define 

Kg = Kg(m,n,X,f) 

= min{ ran kg +e^(,) : G F^, < A",}, 

(11) 

then Kg is the shortest possible length of a linear (to, n, A", /)- 
IC over Fg. 

Corollary 4.7: The length of an optimal linear 
(to, n, A", /)-IC over Fg is Kg ~ Kq{in, n, X, /). 

Remark 4.8: The quantity Kg defined in (fTTT l is precisely 
the min-rank over Fg of the side information graph of an ICSI 
instance in the case m — n and f{i) = i for all i G [n]. 

Idea of the proof: Recall that in [6J, the side information 
graph g of an instance of the ICSI problem is defined by 
g = {Vg,£g), where Vg = [n] and 

£g = {e = : i,j G [n], j G X,}. 

A matrix A over Fg is said to fit g ( ||28l ) if 

flj J ^0, if i= j, 
at J =0, if i ^j, ^ £g. 

Then the min-rank of the side information graph g is defined 
by 

min{rankg(A) : A fits g}. 



Theorem 4.9: Consider a linear (m, n, X, /)-IC over Fg 
based on L. Let d be the minimum distance of C{L). 

1) This index code is (d — 1 — t)-block secure against all 
adversaries of strength t < d—2. In particular, it is weakly 
secure against all adversaries of strength t — d — 2. 

2) This index code is not weakly secure against at least one 
adversary of strength t — d—1. Generally, if there exists 
a codeword of C{L) of weight w, then this index code 
is not weakly secure against at least one adversary of 
strength t — w — 1. 

3) Every adversary of strength t < 1 is able to determine 
a list of q''^-*--^ vectors in Fg which includes the vector 
of messages x. 

Proof: 

1) Assume that t < d—2. By Lemma |431 it suffices to show 
that for every t-subset Xa of [n] and for every (d—l—t)- 
subset B of Xa, 

Mu <\ Xa, ycti G Fg with ai,i E B, not all zero : 
u + ^a^e, ^ C{L). 

For such u and a^'s, we have wt(tt + J2ieB "^i^i) ~ 
\Nt{u) + wtiY^.^B a^e^) <t+{d~l-t)=d~l<d. 
Moreover, as supp(M) r\ B — and a/s, i £ B, sae 
not all zero, we deduce that u + J^ieB '^i^i 0- We 
conclude that u + X^ies cm^i ^ C{L). 

2) We now show that the index code is not weakly secure 
against at least one adversary of strength t = d — \. The 
more general statement can be proved in an analogous 
way. 

Pick a codeword c = (ci, C2, . . . , c„) G C{L) such that 
wt(c) = d and let supp(c) = {11,12, ... , id]- Take Xa = 
{ii,i2, ■ ■ ■,id-i}, \Xa\ = d - 1. Let 

u = (c/q, - e^J . 

Then, u <] Xa and m + e^^ = c/q^ G C{L). By Lemma 
13.11 A is able to determine Xi^. Hence the index code is 
not weakly secure against the adversary A, who knows 
rf — 1 messages x^'s in advance. 

3) Let s = xL. Consider the following linear system of 
equations with unknown 2; G F^ 

zL = s ' 
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which is equivalent to 



^^Xa^Xa ~ * ~ ^Xa'^'Xa 



(12) 



The adversary A attempts to solve this system. Given 
that s and xxa ^re known, the system (fTzl i has n — t 
unknowns and iV equations. Note that t < d — 1, and 
thus by applying Theorem 12. II to C{L) we have n — t > 
n-d+1 > N. If rank,(i^^) = TV then ([l2ll has exactly 
qii-t-N solutions, as required. 

Next, we show that rankq(i^^) = N. Assume, by 
contrary, that the N columns of L^^, denoted by 
c^^\ c^^\ . . . , c'-^\ are linearly dependent. Then there 
exist /3i G ¥q, i e [N], not all zero, such that 
Eti /^^c(^) - 0. Let 

N 

c = J2l3^m^C{L)\{0} . 

(Recall that denotes the ith column of V). Then 
and hence wt(c) = wt(c;f^) < 



'Xa 



t < d — 1. This is a contradiction, which follows from 
the assumption that the iV rows of are linearly 

dependent. 



Example 4.1: Let q = 2. Assume that Xa = and that 
Xi ^ for all i e [m]. For each i G [m] choose some 
ji G Ai. Let L be the binary matrix whose columns form a 
basis of the space C{L) — span^({ej. + ej(i)}ig[,„]). Then 
d(C(i)) = 2. Since t ^ \Xa\ ^ we have d-l - t ^ 
1. Therefore by Theorem 14.91 the index code based on L is 
weakly secure against A. Moreover, if C{L) is nontrivial then 
L has N<n — d = n — 2 columns. In other words, in 
that case, the index code based on L requires at most n — 2 
transmissions. 

C. Block Security and Complete Insecurity 

Theorem |4j9] provides a threshold for the security level of a 
linear index code based on L. If A has a prior knowledge of 
any t < d — 2 messages, where d = d(C(X)), then the scheme 
is still secure, i.e. the adversary has no information about any 



group of d — 1 — t particular messages from {xj}-^^^. On 
the other hand, the scheme may no longer be secure against 
an adversary of strength t — d — 1. The last assertion of 
Theorem 14.91 shows us the difference between being block 
secure and being strongly secure. More specifically, if the 
scheme is strongly secure, the messages x^^, which are not 
leaked to the adversary in advance, look completely random 
to the adversary, i.e. the probability to guess them correctly is 
l/g""*. However, if the scheme is (d—l—t) -block secure (for 
t < d~2), then the adversary is able to guess these messages 
correctly with probability l/<?"~*~^. 

For an adversary of strength t > d, the security of the 
scheme depends on the properties of the code employed, in 
particular, it depends on the weight distribution of C{L). From 



Theorem 14.91 if there exists c G C{L) with wt(c) = w, then 
the scheme is not weakly secure against some adversary of 
strength t = w — l. In general, the index code might still be (b- 
block or weakly) secure against some adversaries of strength 
t for t > d. While we cannot make a general conclusion on 
the security of the scheme when the adversary's strength is 
larger than d — 1, Lemma |43] is still a useful tool to evaluate 
the security in that situation. However, as the next theorem 
shows, if the size of Xa is sufficiently large, then A is able 
to determine all the messages in {xj}^^^^. 

Theorem 4.10: The linear index code based on L is com- 
pletely insecure against any adversary of strength t > n — 
d^ + 1, where d-^ denotes the dual distance of C{L). 

Proof: Suppose the adversary knows a subset {xj}j^xA' 
Xa C [n] md \Xa\ ^ t > n - d^ + 1. By Corollary El 
it suffices to show that for all j G Xa, there exists m G 
satisfying simultaneously u <] Xa and u + ej G C{L). 

Indeed, take any j G Xa, and let p = n — t < d^ — 1. 
Consider the p indices which are not in Xa- By Theorem l2.2l 
there exists a codeword c G C{L) with 

= J, 

^XaU{j} ■ 

Then supp(c) C XaU {j}. We define m G such that 
u < Xa, as follows. For £ G Xa, we set ue — q, and for 
£ ^ Xa, we set Ui = 0. It is immediately clear that c = u+Bj. 
Therefore, by Corollary 14.41 the adversary can reconstruct Xj . 
We have shown that the index code is completely insecure 
against an arbitrary set Xa satisfying \Xa\ > n — d^ + 1, 
hence completing the proof. ■ 

When C{L) is an MDS code, we have n~d^+l — 1, and 
hence the two bounds established in Theorems 14.91 and 14.101 
are actually tight. The following example further illustrates the 
results stated in these theorems. 

Example 4.2: Let n — 7, m — 7, q — 2, and f{i) = i for all 
i G [to]. Suppose that the receivers have in their possession 
sets of messages as appear in the third column of the table 
below. Suppose also, that the demands of all receivers are as 
in the second column of the table. 




Receiver 


Demand 


{^j}^<^x. 


Ri 


Xl 


{a;6,X7} 


i?2 


X2 


{x->,X7} 


i?3 


X3 




i?4 


X4 


{a;5,a;6,a;7} 


i?5 




{XI,X2, X(i} 


i?6 


xe 


{a;i,a:3,a;4} 


i?7 


Xj 


{a;2,X3,a;6} 



For i G [7], let G F^ such that supp(M(*)) = X,. 
Assume that an index code based on L with C{L) — 
span^dit^*' +^i}ie[i\) is used. For instance, we can take L to 
be the matrix whose set of columns is {L[i\ = m^'^ + ei}ig[4]. 



g 



It is easy to see that C{L) is a [7, 4,3]2 Hamming code with 
d = 3 and = 4. 

Following the coding scheme, S broadcasts the following 
four bits: 

si ^ a;(M(i) + ei)"^, 

52 = a;(M(2) + 62)"^, 

53 = x{u'-'^^ + 63)"^, 

54 = a?(M(4) + 64)^. 

Each i e [7], can compute a;(u.(*) + e^)-^ by using a 
linear combination of si, S2, S3, S4. Then, each Ri can subtract 
a;u,'*^ (his side information) from a;(tt'*) + e^)-^ to retrieve 

T 

For example, consider i?5. Since 

aj^M^^^+es) a; (^(m*^) +ei) + (tt*^) +62)) = S1+S2, 
_R5 subtracts xi + X2 + from si + S2 to obtain 

(Sl + S2) - {Xl +X2+ Xfi) 

= {xi +X2+ X5 + xe) - {xi + X2 + xe) 

If an adversary A has a knowledge of a single message Xi, 
then by Theorem 14.91 A is not able to determine any other 
message xe, for £ i. Indeed, d{C{L)) = 3, while t = 1, the 
code is weakly secure against all adversaries of strength t = 1. 
If none of the messages are leaked, then the adversary has 
no information about any group of 2 messages. On the other 
hand, the code is completely insecure against any adversary 
of strength < > 4; in that case A is able to determine the 
remaining 7 — t messages. 

Remark 4.1 1 : So far we only discuss the case when the 
adversary can listen to all N transmissions. If we consider an 
adversary, which can eavesdrop at most ^ {p. < N) messages, 
then analogous results can also be obtained. Consider a linear 
index code based on L. Let 

d^,^mm{d{C{L[W])) : W C[N], \W\=n], 

and 

dj, =min{6{{C{L[W]))^) : W (Z[N], \W\=ii]. 

Then it is straightforward to see that the results in Theo- 
rems 14.91 and 14.101 still hold, with d and being replaced 
by d^ and d^, respectively. 

D. Role of the Field Size 

The following example demonstrates that the use of index 
codes over larger fields might have a positive impact on the 
security level. More specifically, in that example, index codes 
over large fields significantly enhance the security, compared 
with index codes over small fields. 

Example 4.3: Suppose that the source S has n messages 
xi,X2, ■ . ■ ,Xn. Assume that there are m < n receivers 
Ri, R2, . ■ . , Rm, and each receiver Ri has the same set of 



side information, Xi = {m + 1, m + 2, . . . , n}. Assume also 
that each Ri requires Xi, for i G [m]. 

Any index code for this instance must have length at least 
m, since all the vectors m^*) +6^, for some tt'*) <iXi, i G [m], 
are linearly independent over any field. 

If we employ an index code over F2, by the fact that 
there are no nontrivial binary MDS codes, we deduce that 
the minimum distance d of C{L) is at most n ~ m. Hence 
index codes over F2 is not secure against some adversaries of 
strength t = n — m — 1. However, if we consider index codes 
over ¥q for sufficiently large q {q > n—1), there exists a g-ary 
MDS code C with minimum distance exactly n — m + 1. By 
choosing L so that C{L) = C, the index code based on L is 
secure against all adversaries of strength at most t = m— 1, 
which is strictly more secure than the those over F2. To find 
such an L, let M — (/„ |P) be a generator matrix in standard 
form of an [n, m]q-MDS code, and then take L — . Then 
L[i\ = M^^^+e^*), for some it^*) <\Xi — {m+1, m+2, . . . , n}, 
i G [m]. Therefore, by Corollary 14. 5J L corresponds to a linear 
index code for this instance. 

Note that if we employ an index code over F2, then for 
large values of n the minimum distance d of C{L) is bounded 
from above by the sphere-packing bound 

d<2n- (H-i(l -m/n) - e), 

where e as n ^> 00. There is a variety of stronger upper 
bounds on the minimum distance of binary codes, such as the 
Johnson bound, the Elias bound, and the McEliece-Rodemich- 
Rumsey-Welch bound (see l29^, Chapter 4.5] for more details). 
These bounds provide even stronger bounds on the security of 
the binary scheme for this instance of the ICSI problem. By 
contrast, as shown above, by using a g-ary MDS code, the 
distance d of C{L) can achieve the Singleton bound. It is well 
known that there is a significant gap between the Singleton 
bound and the sphere-packing bound (see 1291 p. Ill] for 
details). Therefore, for this instance of the ICSI problem, index 
codes over large fields provide significantly higher levels of 
security than those over binary field. 

E. Application: Index Coding with Side and Restricted Infor- 
mation 

In this section, we consider an extension of the ICSI 
problem, which we call the Index Coding with Side and 
Restricted Information (ICSRI) problem. This problem arises 
in applications such as audio and video-on-demand. Consider 
a chent who has subscribed for certain media content (audio 
or video programs, movies, newspapers, etc.) At the same 
time, this client has not subscribed to some other content. The 
content provider wants to restrict this client from obtaining a 
content which he is not eligible for, even though he might be 
able to obtain it "for free" from the transmissions provided 
by the server As we show in sequel, the solution for the 
ICSRI problem is a straight-forward application of the results 
in Corollary 1441 

More formally, the arguments of an instance (m, n, X, Z, f) 
of the ICSRI problem are similar to their counterparts for 
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the ICSI problem. The new additional parameter, Z = 
(Zi, Z2, . . . , Zjn), represents the sets Zi C [n] of message in- 
dices that the respective receivers Ri, i ^ [m], are not allowed 
to obtain. The goal is that at the end of the communication 
round, the receiver Ri has the message xj(i) in its possession, 
for all i G [m], and it has no information about Xj for all 
i G Zi. The notion of a linear (m, n, A", /)-IC over Fg is 
naturally extended to that of a linear (m, n, X, Z, /)-IC over 
F 

Let 

m 

F{m, n, X, Z, /) = 1^ {m + : tt < A',;, j G Zi} . 

i=l 

The following proposition provides a necessary and sufficient 
condition for a linear index code to be also a solution to an 
instance of the ICSRI problem. 

Proposition 4.12: The linear (m, n, X, /)-IC over F^ based 
on L is also a linear (to, n, X, Z, /)-IC if and only if C{L) D 
Tim,n,X,ZJ) = 0. 

Proof: Let S employ the (m, n, X, f)-lC over ¥q based 
on L. Then clearly _Ri can recover for all i G [to]. Due 
to Lemma 14.31 for each i G [to] and j G Zi, Ri has no 
information about Xj if and only if 

Wu<\X, : u + Bj i C{L). 

Hence we complete the proof. ■ 

Example 4.4: Consider an instance (to, n, X, Z, /) of the 
ICSRI problem where m, n, X, and / are defined as in 
Example 14.21 Moreover, let Z = (Zi, Z2, . . . , Z7), where 
Zi = {2,3,4,5}, Z2 = {1,3,4,6}, Z3 = {1,2,4,7}, and 
Z4 = Z5 = Zg = Z7 = 0. Consider the index code 
based on L constructed in Example 14.21 It is straightforward 
to verify that C{L) n J^{m,n, X, Z, f) = 0. Therefore, by 
Proposition 14.121 this index code also provides a solution to 
this instance of the ICSRI problem. 

Let 

l^*q = 'i*q{^hn,X,Z,f) 

= min{rankg({MW + ey(,;)},g[,„])}, 

where the minimum is taken over all choices of it*^*^ <l Xi, 
i G [m], which satisfy 

span^ ({"**-' + e/(j)}je[™]) r\T{m,n,X,Z,f) = 0. (13) 

Let K* = +00 if there are no choices of m'^^^'s, i G [m], which 
satisfy (fT3] l. The following proposition follows immediately. 

Proposition 4.13: The length of an optimal linear 
(to, n, <¥, Z, /)-IC over Fg is k*. If k* — +00 then there 
exist no linear (to, n, X, Z, /)-ICs over Fg. 



V. Strongly Secure Index Codes with Side 
Information 

In this section, we consider a different model of adversary. 
Similarly to its counterpart in Section |IV] the adversary A in 
this section owns some prior side information. Additionally, 
A can listen to /i < TV transmissions of S. It can also corrupt 
some transmissions of 5*, received by any of Ri, i ^ [to]. 

We start the analysis with some basic definitions of error- 
correcting index codes. This type of index codes was studied 
very recently by the authors of this paper in ll30l . We repeat 
some basic results for the sake of completeness. 

A. Error-Correcting Index Codes 

Assume that some of the symbols received by Ri, i G [to], 
are in error Consider an ICSI instance (to, n, X, /), and 
assume that S broadcasts a vector €{x) G F^. Let G F^ 
be the error affecting the information received by Ri, i ^ [to]. 
Then Ri actually receives the vector 

y«-G:(a;)+^(''GFf , 

instead of €{x). The following definition is a generalization 
of Definition irn 

Definition 5.1: A 6-error-correcting index code over Fg for 
an instance (to, n, X, f) of the ICSI problem, referred to as 
a 5-error-correcting {m,n, X , f)-lC over Fg, is an encoding 
function 

such that for each receiver Ri, i ^ [to], there exists a decoding 
function 

2), : xFl^-^'l ^Fg , 

satisfying 

Va;,^« G F;\ wt(^W) < 6 : 2),(e(a;)+|«,a;;,J = . 

The definitions of the length, of a linear index code, and of the 
matrix corresponding to an index code are naturally extended 
to (5-error-correcting index codes. 

We define the following sets 

I{q,m,n,X, f) 

= {z e F^' : Eli G [to] such that = and zj(,j) ^ 0}. 
For each i G [to] we also define 

y. = [n]\[{fiz)}UX?). 

Then the collection of supports of all vectors in 
I{q, TO, n, X, f) is precisely 

J{m,n,X,f)= y {{f{i)}UY,:Y,cy,y (14) 

i £ [m] 

The necessary and sufficient condition for a matrix L to 
correspond to a linear (5-error-correcting index code is given 
in the following lemma. 
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Lemma 5.1: The matrix L corresponds to a linear (5-error- 
correcting (m, n, X, /)-IC over Fg if and only if 

\Nt{zL) > 2(5 + 1 for all z e m, n, A", /). (15) 

Equivalently, L corresponds to a linear (5-eiTor-correcting 
(m, /Y, /)-IC over if and only if 

wt ( ^ z,L, ] > 25 + 1, 

for all K G J{m, n, X, f) and for all choices of nonzero 

Zi e¥q, i e K. 

Proof: For each a; e F^, we define 

B{x, 5) = {c e F;' : c = xL + t wt(|) < (5, | £ F^}, 

the set of all vectors resulting from at most 5 errors in the 
transmitted vector associated with the information vector x. 
Then the receiver i?^ can recover Xf^i) correctly if and only 
if 

B{x,5)r^B{x' ,5) = 0, 
for every pair x,x' £ F^ satisfying: 

= x'xi and ^ 

Therefore, L correspond to a linear (5-error-correcting 
(rn, n, /)-IC over F^ if and only if the following condition 
is satisfied: for all i G [m] and for all x,x' G such that 
xxi — x'p^. and 7^ ^/(i)' holds 

Vei'eFf, wt(0<5, wt(r)<<5 : 

a;i + ^ 7^ a;'L + ^' . (16) 

Denote z = a;' — a;. Then, the condition in (fTSI l can be 
reformulated as follows: for all i G [n] and for all 2: G 
such that = and ^ 0, it holds 

VC,|' G Ff , wt($) < 5, wt(l') <5 : zL^ . (17) 
The equivalent condition is that for all z G I{q, m, n, X, /), 

wt{zL) > 2(5 + 1 . 
Since for z G m, n, A", /) we have 
zL = ^ Ziii, 

ie5upp(z) 

the condition ( fTSl l can be restated as 

wt ( ^ z,L, ] > 25 + 1, 
for all K G J{m, n, X, f) and for all choices of nonzero 

Zi e¥q, i e K. ■ 

The next corollary follows directly from Lemma 15.11 by 
considering an error-free setup, i.e. (5 = 0. It is easy to verify 
that the conditions stated in this corollary and in Corollary 14.51 
are equivalent, as expected. 



Corollary 5.2: The matrix L corresponds to an 
(rn, n, A", /)-IC over F^ if and only if 




for all K G J{m^ n, X, /) and for all choices of nonzero 

Zi e¥q, i e K. 

B. A Lower Bound on the Length 

We start this section with a generalization of the definition 
of index codes to randomized index codes. Consider 77 G N 
random variables Gi, G2, . . . , G^, which are distributed inde- 
pendently and uniformly over Fg. Let G = (Gi, G2, . . . , G,,) 
and let g = (51, 52, • ■ • , ffr;) be a realization of G. 

Definition 5.2: An rj-randomized (m, n, X, f)-IC over ¥q 
for an instance (m, n, X, /) is an encoding function 

(f : f;' X f;' ^ F^ , 

such that for each receiver Ri,i£ [to], there exists a decoding 
function 

D, : F^ xFI-^'I ^F, , 

satisfying 

for any g G F^', which is a realization of the random vector 
G. 

The definition of a (5-error-correcting index code can be 
naturally extended to that of a (5-error-correcting randomized 
index code. We simply replace € : F^ F^ by (£ ; F'^* x 
F;^' F^, and i£(a;) by <t{x,g) in Definition O 

An //-randomized index code is linear over Fg if it has a 
linear encoding function (£, 

<E{x,g) = {x I g)L , 

where L is an {11 + r/) x N matrix over ¥q. In the se- 
quel we assume that any message Xi, i G [n] is requested 
by at least one receiver Observe that by simply treating 
xi,X2, ■ . ■ ,Xn, gi, §2, . ■ . , gjj as messages, the results from 
previous sections still apply to linear randomized index codes. 

Definition 5.3: The linear T^-randomized (to, n, A", /)-IC 
over ¥q based on L is said to be (/i, t, S)-strongly secure if it 
has the following two properties: 

1) This code is (5-error-correcting. In other words, upon 
receiving {x\g)L with at most 6 coordinates in error, the 
receiver Ri can still recover xj^^i^, for all i G [m]. 

2) This code is (/i, t)-strongly secure. In other words, an 
adversary A who possesses xx^, for Xa ^ [n], \Xa\ — t, 
and listens to at most /i transmissions, < N, gains no 
information about other messages. Equivalently, 

H{X^^ I {X\G)L[WlXx.) = H(X^J, 
for any W C [N], \W\ < fi. 
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Remark 5.3: 

1) If /i = t = 77 = 0, then a (5)-strongly secure t]- 
randomized (to, n, X, /)-IC over Fg is simply a (5-error- 
correcting (to, n, <¥, /)-IC over Fg. 

2) If (5 = 0, the index code is strongly secure, but has 
no error-correcting capability. In that case, we simply 
say that the code is "(/i, t)-strongly secure" instead of 
"(/i, t, 0)-strongly secure". 

3) A simple concatenation of an error-correcting index cod- 
ing scheme and a secure index coding scheme may not 
necessarily yield a (/i, t, (5)-strongly secure Ty-randomized 
(to, n, X, /)-IC over F,. 

In the lemma below, we assume that each message is 
requested by at least one receiver Otherwise, that "useless" 
message can be discarded without affecting the model. 

Lemma 5.4: If L corresponds to a (/i, i)-strongly secure 
linear ?7-randomized (m, n, Af, /)-IC over Fg, then rj > fi. 

Proof: We prove this lemma by contradiction. Suppose 
that L corresponds to a (/i, t, 5)-strongly secure ?7-randomized 
(to, n, X, /)-IC over Fg, and that ij < ^. Let E ~ {n + l,n + 
2, . . . ,n + T]}. 

For W C [N] let C(£[M^]) be the space spanned by columns 
of L indexed by elements of W. Then, for all W C [N] with 
\W\ < fi, it holds that 

HiX ^J{X\G)L[WlXx.) = H(X^J, 

i.e. an adversary who owns xx^ gains no information about 
after eavesdropping the transmissions corresponding to 
the set of indices W. From Lemma 14.31 with C{L) being 
replaced by C(i[VK]), we conclude that C(L[W]) does not 
contain a vector c which satisfies c^^ ^ and ce = 0. In 
the sequel, we refer to this property of C(i[W^]) as Property A. 

Let L' = [L^^yj^y^ be the matrix obtained from L by 
first deleting rows of L indexed by Xa, and then taking its 
transpose. We show that rankg(L') < /i — 1. Indeed, take 
any ^ rows of L' , denote them . . . , L'^^. Let L" be the 
submatrix of L' formed by the last 77 columns. Since 77 < /i, 
the ^ rows L'-^ , ■ ■ ■ , L'-^ are linearly dependent. Hence, there 
exist ai, a2, ■ • ■ , ct^, not all zeros, such that 

1=1 

This implies 

1=1 

due to Property A. Thus, rankg(L') < /i — 1. 
Now let r = rankg(L') < /i, and let 

be a basis of the space spanned by the rows of L' . Suppose 
that the receiver Ri requests where /(i) £ Xa- 



> On the one hand, by Corollarv l4.5l C{L) contains a vector 
c = M*^*) where m''' <\Xi. Therefore, c^; = and 

• On the other hand, there exist , , • ■ • , /5r such that 

r 

Since r < /i and c^; = 0, by Property A we have Cxa~ 
0. 

We obtain a contradiction. ■ 

Remark 5.5: From Lemma 15341 a (/i, i, (5)-strongly secure 
linear randomized index code requires at least random 
symbols. We show in Section IV-CI that there exists such a 
code that uses precisely /i random symbols. 

Lemma 5.6: Suppose that L corresponds to a linear /i- 
randomized (to, n, X, /)-IC over Fg. If this randomized index 
code is (/i, t)-strongly secure, then for all i £ [/i], there exists 
a vector v^^'^ G Fg+^ satisfying 

1) <] [n]; 

2) -uW + e„+, e C{L). 

Proof: Assume, by contradiction, that for some i e [/i], 
we have v''' + e„+i ^ C{L) for all i;^*) < [n]. Consider a 
virtual receiver, which has a side information set {xj}j^[n], 
and requests the symbol gi. By Corollary 14.41 this virtual 
receiver has no information about gi after listening to all 
transmissions. In other words, we have 

H{G,\{X\G)L,X)^H{G,) , (18) 

and, in particular, for a smaller set of side information, 

H{G,\{X\G)L,Xxa)^H{G,) . (19) 

We recall Definition 15.31 for every /i-subset W C [N] and 
every i-subset Xa CI [n], we have 

H{X^J{X\G)L[W],Xx.) = H(X^J . (20) 

In the sequel we show that if the value of Gi is known to the 
adversary, this randomized index code is still (/x, i)-strongly 
secure. In other words, we aim to show that 

HiX^JiX\G)L[W],Xx.,G,) = H(X^J , (21) 

for every /x-subset W C [N] and every t-subset Xa ^ [n]. 
Indeed, the left-hand side of (|2T]) is equal to 

H{X^JiX\G)L[WlXx.)-\iX^^;G,\{X\G)L[W],Xx.), 

which is 

H (X^J - I (X^^ ; I iX\G)L [W] ,Xx.) 
due to ( |20] |. Hence, it suffices to show that 

l(X^ -G. I {X\G)L[W],X^:,) = Q. 
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Xa> 



We have 
\{X^^-G^{X\G)L[W],Xx.) 

= H{G.\{X\G)L[W],Xx,) 

-HiG,\iX\G)L[W],Xx^,X 
= H{G,\{X\G)L[W],Xx,) 
-H{G,\{X\G)L[W],X) 
= H(G,)-H(G,) 
= , 

where the third transition is due to (ITFt and (|T9) . 

To this end, we have shown that the randomized index 
code is still (/i, <)-strongly secure if the adversary knows 
the realized value of Gi. Equivalently, discarding the random 
variable Gi from the scheme does not affect its strong security. 
However, this contradicts Lemma \5A\ since the resulting code 
has less than /i random symbols. ■ 

The following theorem proves a lower bound on the length 
of a (/i, -strongly secure linear randomized index code. 

Theorem 5.7: The length of a (/i, t)-strongly secure linear 
77-randomized (m, n, X, /)-IC over is at least Kg + fi. 

Proof: Suppose the linear randomized index code is based 
on L. We divide the proof into several cases. 

Case \: rj = ^. Then, by Corollary |43] and Lemma ls!6l the 
subspace C{L) must contain: 

• the vectors u^''^ + ef(i) for some it*^*^ <\ Xi, for 
all i G [m]; 

• the vectors v^^'> + Sn+i, for some t;^*'' <] [n], for 
all i e[n]. 

Due to linear independence of these vectors and to 
the definition of Kg, the length of the code is at least 

dim(C(i)) > rank,({M('') +e^(,)}ig[„,]) 
+ rankq({?;(') + e„+.,}jg[^]) 

> Kg+ ■ 

Case 2: ri > fi, and for all i G [rj] there exists some vector 
t>(^) < [n] such that u^^'> + e„+j G C{L). 
In this case, similarly to Case 1, we have 

dim(C(i)) > Kg + r] > Kg + fi. 

Therefore, L has at least Kg + fi columns. 
Case 3: ?/ > /i, and for some i G [r/], t)^*^ + Bn+i ^ C{L) 
for all t)^'-* < [n]. By following exactly the same 
argument as in the proof of Lemma 15.61 we deduce 
that discarding Gi does not affect the strong security 
of the randomized index code. By doing so, we 
obtain a new randomized (/i, i)-strongly secure index 
code, which has 77 — 1 random variables. This code is 
based on L', which is obtained from L by deleting 
its (n + i)-th row. 

The above argument can be applied until either the 
number of random variables decreses to fi, or the 
code in consideration satisfies the condition of Case 



2. In both cases, the resulting randomized index code 
has length at least Kg + fi. As the length of the code 
do not change during the process, we conclude that 
the length of the original code is at least Kg + fj,. 



The next theorem establishes a lower bound on the length 
of a (/i, t, (5)-strongly secure linear randomized index code. 

Theorem 5.8: The length of a (/i, (5)-strongly secure lin- 
ear ?7-randomized (m, n, X, f)-lC over ¥g is at least Kg + fi + 
25. 

Proof: Let L correspond to a (/i, i, (5)-strongly secure r]- 
randomized {m,n, X , f)-lC over Fg. Let L' be the matrix 
obtained by deleting any 25 columns of L. Since L corre- 
sponds to a (5-error-correcting index code, by Lemma 15.11 it 
satisfies 

>26 + l 

for all K G J{m, n, X, f) and all choices of nonzero Zi G Fg, 
i £ K. We obtain that the rows of L' satisfy 



> 1 



By Corollary 15.21 L' corresponds to an T^-randomized 
(m, n, X, /)-IC over ¥g. Since all entries of L' are contained 
in L, we deduce that L' corresponds to a {fi, t)-strongly 
secure 77-randomized {171,71, X , f)-lC over F^. Therefore, by 
Theorem 15.71 L' has at least Kg + fi columns. Therefore, L 
has at least Kg + fi + 26 columns. ■ 

C. A Construction of Optimal Strongly Secure Index Codes 

In this section, we present a construction of an optimal 
(/i, i, (5)-strongly secure /x-randomized linear {7n,n, X , f)-lC 
over ¥g, which has length attaining the lower bound estab- 





lished in Theoi'em l5.8l It requires q to be at least Kg+ii+26+l. 
The proposed construction is based on the coset coding 
technique, originally introduced by Ozarow and Wyner llsTI . 
This technique has been adopted in a variety of network coding 
applications, such as 1 18]-122|. 

Construction A: Let L^°^ correspond to a linear 
{m,n, X , f)-lC over ¥g of optimal length Kg. Let M be a 
generator matrix of an [N = Kg + jj, + 26, Kg + ^,26 + l]g 
MDS code, so that the last /i rows of M form a generator 
matrix of another MDS code. For instance, take 



/ 



M = 



1 

"1 



1 

0(2 



K„ — 


1 


K„ — 1 


"1 


1 


Kg + 1 

"2 



a-^^ «2 



1 

CtN 



\ 



"AT 

Kq+1 
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where ai,a2, ■ ■ ■ ,q:n are pairwise distinct nonzero elements 
in ¥q. Let P be the submatrix of M formed by the first Kg 
rows, and Q the submatrix formed by the last fi rows of M. 
Take 



L = 



Q 



Lemma 5.9: The matrix L in Construction A corresponds 
to a (5-error-correcting /i-randomized {m,n,X, /)-IC over F^. 

Proof: Recall that g S is a random vector The 
encoding function (£ has a form 

<B{x, g) = {x\g)L = xL^°^P + gQ = {xL^''^ \g)M . 

Since M is a generator matrix of a (5-error-correcting code, 
each receiver Ri, i € [m], is able to recover (xL^'^^lg) if 
the number of errors in €{x,g) is less than or equal to 5. 
Therefore, each receiver Ri can recover ajZ,^"-*, and hence, it 
can also recover Xf(^,iy i G [m], as Z/^^-* corresponds to a linear 
(m,n, A:", /)-IC over Fg. ■ 

Lemma 5.10: The matrix L in Construction A corresponds 
to a (/i, i)-strongly secure /i-randomized (m, n, A", /)-IC over 

Proof: Suppose that the adversary A possess a message 
vector xxa, \xxa\ = t- Additionally, A can eavesdrop /i 
transmissions, i.e. it has a knowledge of 6 = (a;|fif)Z/[VF], for 
some W C [A''], \W\ = fj,. Below, we show that the entropy 
of X is not changed given the knowledge of 
and of xxji- It suffices to show that for all a e F^'^*: 



Pr(X 



Xa 



a I iX\G)L[W] = 6, Xxa = 



1 



The left-hand side of ( EZb can be re-written as 

Pr(X^^ ^ g, (X|G)X[W^] = b I X;,, ^ a;;,J 
Pr{{X\G)L[W] ^b\XxA= xxa) 
The numerator in (l2Jt is given by 
Pr(X^^ = a, (X|G)X[iy] - b | = ^Xa) 

= ^<^Xa ^(^\Xxa= XX a) 

X Vr{{X\G)L[W] ^b\x^^=a, Xxa = xxa 
= :^PriiX\G)L[W]^b\X^^ 



(22) 



(23) 



r 
1 1 



1 



n — t-\-fj, ' 



(24) 



The penultimate transition can be explained as follows. We 
have 

b = {X\G)L[W] = XL^°^P[W] + GQ[W] . (25) 

The matrix is invertible due to the fact that Q is a 

generator matrix of an [A^, /i]-MDS code. Since X is known, 
the system ( |25] l has a unique solution given by 

G = (6 - XL^°'>P[W])iQ[W])-^ . 



Since G is uniformly distributed over F^, 

PriiX\G)L[W] =b\X^^^ a,XxA - xxa) 
= Pr(G = (b-Xi("'P[VK])(Q[W^])-i) 



1 



Similarly to (|24] |. the denominator in (l23t is 

Pv{iX\G)L[W] = b\XxA=xxA) 

X Pr{{X\G)L[W] = b\X^=c, Xxa = ^Xa) 



1 1 1 



qn-t ' 



(26) 



From ( |23] l. ( |24] |. and (|26] l. we obtain ( |22] |. as claimed. 



From Theorem l5.8l Lemma |J!9l and Lemma IS. 101 we obtain 
the main result of this section. 

Theorem 5.11: The length of an optimal (/i, (5)-strongly 
secure linear 77-randomized (m, n, X, f)-lC over F^ (q > Kq + 
/i + 2(5 + 1) is Kq + + 26. Moreover, the code in Construction 
A achieves this optimal length. 

VI. Conclusions and Open Questions 

In this paper, we initiate a study of the security aspects of 
linear index coding schemes. We introduce a notion of block 
security and establish two bounds on the security level of a 
linear index code based on the matrix L. These analysis makes 
use of the minimum distance and the dual distance of C{L), 
the code spanned by the columns of L. While the dimension 
of this code corresponds to the number of transmissions in 
the scheme, the minimum distance characterizes its security 
strength. 

Our second contribution is the analysis of the strong security 
of linear index codes. New bounds on the length of linear 
index codes, which are resistant to errors, eavesdropping, and 
information leaking, are established. Index codes that achieve 
these bounds are constructed. These new bounds cannot be 
deduced directly from the existing results in network coding 
literature. 

One important problem, which remains open, deals with 
a design of an optimal secure index coding scheme. This 
problem can be formulated as follows: given an instance of 
the ICSI problem, how to design L, such that C{L) has the 
largest possible minimum distance? More specifically, let us 
define the binary side information matrix A — (aij)ig[„]^ je[n\ 
as in |'6l, namely 



1 if j = i or j e Xi 
otherwise 



The problem is equivalent to finding a way to turn certain off- 
diagonal I's in A into O's, such that the rows of the resulting 
matrix generate an error-correcting code of the largest possible 
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minimum distance. It is very likely that this task is a hard 
problem. For comparison, even finding the minimum distance 
of an error-correcting code given by its generating matrix is 
known to be NP-hard ll32l . 
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